CVE-2018-3990
Description
An exploitable pool corruption vulnerability exists in the 0x8200E804 IOCTL handler functionality of WIBU-SYSTEMS WibuKey.sys Version 6.40 (Build 2400). A specially crafted IRP request can cause a buffer overflow, resulting in kernel memory corruption and, potentially, privilege escalation. An attacker can send an IRP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer overflow in WibuKey.sys IOCTL handler 0x8200E804 allows local attackers to corrupt kernel pool memory and escalate privileges to SYSTEM.
Vulnerability
A pool corruption vulnerability exists in the IOCTL handler for control code 0x8200E804 in WIBU-SYSTEMS WibuKey.sys Version 6.40 (Build 2400) [1]. The vulnerable function sub_A382D0F0 performs an out-of-bounds write when processing a specially crafted IRP request, leading to a buffer overflow in kernel pool memory [1]. The WibuKey device is accessible to all users with RW permissions, meaning any local user can send IOCTL requests to trigger this code path [1]. Affected version: WibuKey.sys 6.40 (Build 2400) on Windows 7 x86 [1].
Exploitation
An attacker must have local access to the system and the ability to send IOCTL requests to the \Device\WibuKey device [1]. No authentication or elevated privileges are required because the device is world-writable [1]. By sending a specially crafted IRP request with the 0x8200E804 control code, the attacker can cause the vulnerable function to write beyond the bounds of an allocated kernel pool buffer [1]. The exploit sequence consists of constructing an IRP that triggers this overflow of the kernel pool buffer.
Impact
Successful exploitation results in kernel memory corruption (CWE-787: Out-of-bounds Write) [1]. This corruption can lead to a denial of service or, more critically, privilege escalation from a local unprivileged user to SYSTEM level [1]. The CVSSv3 score is 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability [1].
Mitigation
As of the publication date (2019-02-05), no official patch was available from WIBU-SYSTEMS [1]. Users should monitor vendor advisories for a fix and restrict access to the WibuKey device by modifying ACLs to limit IOCTL submission to trusted users only [1]. If an update becomes available, it should be applied immediately. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Integer overflow in bounds check allows out-of-bounds write via memcpy in the 0x8200E804 IOCTL handler."
Attack vector
An unprivileged user sends a specially crafted IOCTL request (control code 0x8200E804) to the \Device\WibuKey device, which has a default DACL granting "RW Everyone" access [ref_id=1]. The input buffer contains attacker-controlled values for fields v22 (unsigned10) and v21 (dword14). By setting v22 to a value in the range 0xFFFFFFF4–0xFFFFFFFF, the check at line 18 (v4 >= v22 + 12) passes due to integer overflow, and the memcpy at line 20 copies v22 bytes from the user-supplied buffer into an output buffer that is too small, causing pool corruption [CWE-787].
Affected code
The vulnerable function is sub_A382D0F0 in WibuKey.sys Version 6.40 (Build 2400), specifically the IOCTL handler for control code 0x8200E804 [ref_id=1]. The flaw resides in the bounds check at line 18 and the subsequent memcpy at line 20, where attacker-controlled values v22 and v21 (from buffer fields unsigned10 and dword14) bypass the check via integer overflow.
What the fix does
The advisory states that a vendor patch was released on 2018-12-19, but no patch diff is included in the bundle [ref_id=1]. The remediation would need to correct the integer overflow in the bounds comparison at line 18, for example by validating that v22 does not exceed the actual allocated output buffer size before calling memcpy, and/or by clamping v22 to a safe maximum derived from the output buffer length rather than from user-supplied values.
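The wrap-around in the check quoted under Attack vector, next to an overflow-safe form of the same comparison, as an added example (not code from the driver, the vendor patch or the advisory). It assumes v4 is the output buffer length and v22 a 32-bit unsigned length; all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 12u  /* the constant added in the check quoted above */

/* Check in the shape the page quotes: v4 >= v22 + 12, in 32-bit arithmetic.
 * out_len stands in for v4 (assumed to be the output buffer length),
 * len for the caller-controlled v22. */
static bool check_as_described(uint32_t out_len, uint32_t len)
{
    uint32_t need = (uint32_t)(len + HDR_LEN);  /* wraps for len >= 0xFFFFFFF4 */
    return out_len >= need;
}

/* Overflow-safe form: never add to the untrusted value; subtract from the
 * trusted one after checking that the subtraction cannot underflow. */
static bool check_hardened(uint32_t out_len, uint32_t len)
{
    return out_len >= HDR_LEN && len <= out_len - HDR_LEN;
}

/* Count how many lengths in [lo, hi] a given check accepts. */
static unsigned count_accepted(bool (*check)(uint32_t, uint32_t),
                               uint32_t out_len, uint32_t lo, uint32_t hi)
{
    unsigned n = 0;
    for (uint32_t len = lo; ; len++) {
        if (check(out_len, len))
            n++;
        if (len == hi)      /* stop before len itself wraps back to 0 */
            break;
    }
    return n;
}

int main(void)
{
    const uint32_t out_len = 0xC;  /* output length from the Reproduction section */
    printf("described: %u of 12 accepted\n",
           count_accepted(check_as_described, out_len, 0xFFFFFFF4u, 0xFFFFFFFFu));
    printf("hardened:  %u of 12 accepted\n",
           count_accepted(check_hardened, out_len, 0xFFFFFFF4u, 0xFFFFFFFFu));
    return 0;
}
```

The hardened comparison still accepts every length that fits (for example 0x14 with a 0x20-byte output buffer), so it changes behaviour only for the wrapping range.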
Preconditions
- auth: Attacker must be able to open the \Device\WibuKey device (default DACL grants RW Everyone)
- input: Attacker sends a DeviceIoControl call with IOCTL code 0x8200E804
- input: The input buffer must contain crafted values for unsigned10 (v22) and dword14 (v21) to trigger integer overflow
Reproduction
The advisory includes a Python PoC using pywin32 [ref_id=1]. The script opens \\.\WibuKey, sets outBufferLen to 0xC, and crafts an input buffer where unsigned10=0xFFFFFFFE and dword14=0xFFFFFFFD. When DeviceIoControl is called with IOCTL 0x8200E804, the integer overflow in the bounds check causes memcpy to write far beyond the allocated output buffer, triggering a bug check 0xCD (PAGE_FAULT_BEYOND_END_OF_ALLOCATION).
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 5
- www.securityfocus.com/bid/107005 (mitre, vdb-entry, x_refsource_BID)
- cert-portal.siemens.com/productcert/pdf/ssa-760124.pdf (mitre, x_refsource_CONFIRM)
- cert-portal.siemens.com/productcert/pdf/ssa-844562.pdf (mitre, x_refsource_CONFIRM)
- cert-portal.siemens.com/productcert/pdf/ssa-902727.pdf (mitre, x_refsource_CONFIRM)
- talosintelligence.com/vulnerability_reports/TALOS-2018-0658 (mitre, x_refsource_MISC)